Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)



On Apr 1, 2012 09:21 "Kees Cook" <kees@debian.org> wrote:
> Hi Niels,
> 
> On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote:
> > I have started an unofficial branch[1] to get something more
> > concrete on
> > this.  I decided to rename the tags so they had a common prefix (it
> > simplified the update to t/scripts/implemented-tags.t).
> 
> Attached is a patch to clean up the remaining tests that still needed
> stack protector and fortify to show up in their binaries.
> 

Hi,

Thanks, I have pushed it to my branch (with a minor change to also update
the Depends of lintian in d/control).

Kees, btw, are you certain of the copyright statements in
collection/hardening-info?

"""
# The original shell script version of this script is
# Copyright (C) 1998 Christian Schwarz
#
# The objdump version, including support for etch's binutils, is
# Copyright (C) 2008 Adam D. Barratt
#
# This version, a trimmed-down wrapper for hardening-check, is
# Copyright (C) 2012 Kees Cook <kees@debian.org>
"""

I suspect some of it is copy-paste from collection/objdump-info...

> > Last I checked we still have an "outstanding issue" with hardening-check
> > using ldd, which I am not certain will work with "foreign" binaries
> > (see comment #39).  I suspect it will mostly affect people who do
> > cross-builds and lintian.d.o[2].
> 
> And this should be taken care of now in hardening-includes 2.0, which
> uses a hard-coded list of libc functions instead of trying to build
> the list at runtime.
> 

Awesome, :)

> After this patch, the TODO's single remaining item is:
> 
>     + revise tag certainty and description:
>       - overrides (we can't do much about FP etc.)
> 
> What is needed for this? Should I expand the descriptions more? Or was
> there something else?
>

It was mostly a reminder to myself to review them and maybe add a
"disclaimer" on the false-positives.

There was also something else, namely making the test suite able to
handle the architecture specific nature of the hardening tags.  I
have committed some code to handle this.[0]  Assuming no one objects
to the approach, I think we are more or less good to go.

Optimally, Lintian would handle the architecture specific part of
these tags better in terms of overrides so people do not have to
maintain the archlist for their overrides.  However, that can come
in Lintian 2.5.8 or some later time (if at all).

> 
> Thanks!
> 
> -Kees
> 

I have rebased the branch and it is now available from [1] and I
intend to merge it into master before we do the 2.5.7 release.
As mentioned, I have added a new test suite hook[0], which some
may (or may not) find controversial.

Assuming no comments/objections, I intend to merge the branch
into master before the end of Easter.

~Niels

[0] http://anonscm.debian.org/gitweb/?p=users/nthykier/lintian.git;a=commit;h=0ce4b89f515afac59358090174c5dd794e887e1e

[1] http://anonscm.debian.org/gitweb/?p=users/nthykier/lintian.git;a=shortlog;h=refs/heads/hardening-support-rebased-ee869db

The "pre-rebase" variant is available as:

http://anonscm.debian.org/gitweb/?p=users/nthykier/lintian.git;a=shortlog;h=refs/heads/hardening-support
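The following is an added illustration, not code from this message, from lintian, or from hardening-check/hardening-includes. It shows the detection approach the thread refers to: decide whether a binary was built with the stack protector and with FORTIFY_SOURCE by looking only at its imported dynamic symbols (`__stack_chk_fail`, and `__<name>_chk` variants of libc functions), matched against a hard-coded list of fortifiable functions rather than a list built at runtime with ldd, so it also works on binaries that cannot be executed on the build host. The `objdump -T` output below is constructed for the example, the fortifiable list is a short illustrative subset rather than the full one shipped in hardening-includes, and the yes/no/unknown distinction is modelled on the behaviour described in this thread, not copied from hardening-check. Note the two sources of false positives a disclaimer would have to cover: `-fstack-protector` only instruments functions with character arrays on the stack, so a binary with none never references `__stack_chk_fail`; and FORTIFY_SOURCE leaves a call unprotected whenever the buffer size is not known at compile time, so a mix of protected and unprotected calls is normal and still counts as "yes".

```python
"""Toy hardening checker driven by `objdump -T` output (example only)."""

# Constructed sample of `objdump -T` dynamic-symbol output for a small
# binary built with -fstack-protector and -D_FORTIFY_SOURCE=2.  Not captured
# from a real build; addresses and sizes are placeholders.
SAMPLE_HARDENED = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.4   __stack_chk_fail
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __printf_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __libc_start_main
0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
"""

# Constructed sample of the same binary built without hardening flags: the
# fortifiable strcpy is imported unprotected and __stack_chk_fail is absent.
SAMPLE_UNPROTECTED = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __libc_start_main
"""

# Hard-coded list of libc functions that glibc's FORTIFY_SOURCE can replace
# with a bounds-checked __<name>_chk variant.  Illustrative subset only; a
# real checker ships the complete list so that no runtime ldd lookup is needed
# and foreign-architecture binaries can be checked on any host.
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "vsprintf", "vsnprintf", "printf", "fprintf",
    "gets", "fgets", "read", "pread", "recv", "recvfrom", "getcwd",
    "realpath", "readlink", "stpcpy", "wcscpy", "mbstowcs", "wcstombs",
}


def undefined_symbols(objdump_output):
    """Return the names of undefined (imported) dynamic symbols.

    In `objdump -T` output the section column is `*UND*` for imports and the
    symbol name is always the last whitespace-separated field, whether or
    not a symbol-version column (e.g. GLIBC_2.4) is present.
    """
    names = set()
    for line in objdump_output.splitlines():
        fields = line.split()
        if "*UND*" in fields:
            names.add(fields[-1])
    return names


def check_hardening(objdump_output, fortifiable=FORTIFIABLE):
    """Classify stack-protector and fortify status from imported symbols.

    fortify is "yes" if at least one __<name>_chk import of a fortifiable
    function is present (unprotected calls may remain where the buffer size
    was unknown at compile time), "no" if only plain fortifiable functions
    are imported, and "unknown" if the binary uses none of them at all, in
    which case there is nothing FORTIFY_SOURCE could have protected.
    """
    imports = undefined_symbols(objdump_output)
    stack_protector = "__stack_chk_fail" in imports
    protected = {
        name for name in imports
        if name.startswith("__") and name.endswith("_chk")
        and name[2:-4] in fortifiable
    }
    unprotected = imports & fortifiable
    if protected:
        fortify = "yes"
    elif unprotected:
        fortify = "no"
    else:
        fortify = "unknown"
    return {
        "stack_protector": stack_protector,
        "fortify": fortify,
        "protected": sorted(protected),
        "unprotected": sorted(unprotected),
    }


if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED),
                          ("unprotected", SAMPLE_UNPROTECTED)):
        print(label, check_hardening(sample))
```

In a real run the input would come from `objdump -T <binary>` (or `readelf --dyn-syms`) on the unpacked .deb, and the architecture-specific caveat from the thread applies: on architectures where the toolchain does not enable these features, the absence of the symbols says nothing about the package, which is why the tags need per-architecture handling in the test suite and in overrides.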